[Freeipa-users] Re: error in FreeIPA UI login page

2019-06-10 Thread Elham Sadat Azarian via FreeIPA-users
Hi. It's the ipaclient-install.log.

2019-06-11T04:45:38Z DEBUG Logging to /var/log/ipaclient-install.log
2019-06-11T04:45:38Z DEBUG ipa-client-install was invoked with arguments [] and 
options: {'no_dns_sshfp': False, 'force': False, 'verbose': False, 
'ip_addresses': None, 'configure_firefox': False, 'realm_name': 'SHS.DC', 
'force_ntpd': False, 'on_master': True, 'no_nisdomain': False, 'ssh_trust_dns': 
False, 'principal': None, 'keytab': None, 'no_ntp': False, 'domain_name': 
'shs.dc', 'request_cert': False, 'fixed_primary': False, 'no_ac': False, 
'no_sudo': False, 'ca_cert_files': None, 'all_ip_addresses': False, 
'kinit_attempts': None, 'ntp_servers': None, 'enable_dns_updates': False, 
'no_sshd': False, 'no_sssd': False, 'no_krb5_offline_passwords': False, 
'servers': ['ipa-irvlt01.shs.dc'], 'no_ssh': False, 'force_join': False, 
'firefox_dir': None, 'unattended': True, 'quiet': False, 'nisdomain': None, 
'prompt_password': False, 'host_name': 'ipa-irvlt01.shs.dc', 'permit': False, 
'automount_location': None, 'preserve_sssd': False, 'mkhomedir': False, 
'log_file': None, 'uninstall': False}
2019-06-11T04:45:38Z DEBUG IPA version 4.6.4-10.el7.centos.3
2019-06-11T04:45:38Z DEBUG Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2019-06-11T04:45:38Z DEBUG Starting external process
2019-06-11T04:45:38Z DEBUG args=/usr/sbin/selinuxenabled
2019-06-11T04:45:38Z DEBUG Process finished, return code=1
2019-06-11T04:45:38Z DEBUG stdout=
2019-06-11T04:45:38Z DEBUG stderr=
2019-06-11T04:45:38Z WARNING Using existing certificate '/etc/ipa/ca.crt'.
2019-06-11T04:45:38Z DEBUG [IPA Discovery]
2019-06-11T04:45:38Z DEBUG Starting IPA discovery with domain=shs.dc, 
servers=['ipa-irvlt01.shs.dc'], hostname=ipa-irvlt01.shs.dc
2019-06-11T04:45:38Z DEBUG Server and domain forced
2019-06-11T04:45:38Z DEBUG [Kerberos realm search]
2019-06-11T04:45:38Z DEBUG Kerberos realm forced
2019-06-11T04:45:38Z DEBUG [LDAP server check]
2019-06-11T04:45:38Z DEBUG Verifying that ipa-irvlt01.shs.dc (realm SHS.DC) is 
an IPA server
2019-06-11T04:45:38Z DEBUG Init LDAP connection to: 
ldap://ipa-irvlt01.shs.dc:389
2019-06-11T04:45:38Z DEBUG Search LDAP server for IPA base DN
2019-06-11T04:45:38Z DEBUG Check if naming context 'dc=shs,dc=dc' is for IPA
2019-06-11T04:45:38Z DEBUG Naming context 'dc=shs,dc=dc' is a valid IPA context
2019-06-11T04:45:38Z DEBUG Search for (objectClass=krbRealmContainer) in 
dc=shs,dc=dc (sub)
2019-06-11T04:45:38Z DEBUG Found: cn=SHS.DC,cn=kerberos,dc=shs,dc=dc
2019-06-11T04:45:38Z DEBUG Discovery result: Success; 
server=ipa-irvlt01.shs.dc, domain=shs.dc, kdc=ipa-irvlt01.shs.dc, 
basedn=dc=shs,dc=dc
2019-06-11T04:45:38Z DEBUG Validated servers: ipa-irvlt01.shs.dc
2019-06-11T04:45:38Z DEBUG will use discovered domain: shs.dc
2019-06-11T04:45:38Z DEBUG Using servers from command line, disabling DNS 
discovery
2019-06-11T04:45:38Z DEBUG will use provided server: ipa-irvlt01.shs.dc
2019-06-11T04:45:38Z DEBUG will use discovered realm: SHS.DC
2019-06-11T04:45:38Z DEBUG will use discovered basedn: dc=shs,dc=dc
2019-06-11T04:45:38Z INFO Client hostname: ipa-irvlt01.shs.dc
2019-06-11T04:45:38Z DEBUG Hostname source: Provided as option
2019-06-11T04:45:38Z INFO Realm: SHS.DC
2019-06-11T04:45:38Z DEBUG Realm source: Discovered from LDAP DNS records in 
ipa-irvlt01.shs.dc
2019-06-11T04:45:38Z INFO DNS Domain: shs.dc
2019-06-11T04:45:38Z DEBUG DNS Domain source: Forced
2019-06-11T04:45:38Z INFO IPA Server: ipa-irvlt01.shs.dc
2019-06-11T04:45:38Z DEBUG IPA Server source: Provided as option
2019-06-11T04:45:38Z INFO BaseDN: dc=shs,dc=dc
2019-06-11T04:45:38Z DEBUG BaseDN source: From IPA server 
ldap://ipa-irvlt01.shs.dc:389
2019-06-11T04:45:38Z DEBUG Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2019-06-11T04:45:38Z DEBUG Loading StateFile from 
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2019-06-11T04:45:38Z INFO Skipping synchronizing time with NTP server.
2019-06-11T04:45:38Z DEBUG Backing up system configuration file 
'/etc/sssd/sssd.conf'
2019-06-11T04:45:38Z DEBUG   -> Not backing up - '/etc/sssd/sssd.conf' doesn't 
exist
2019-06-11T04:45:38Z INFO New SSSD config will be created
2019-06-11T04:45:38Z DEBUG Backing up system configuration file 
'/etc/nsswitch.conf'
2019-06-11T04:45:38Z DEBUG Saving Index File to 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2019-06-11T04:45:38Z INFO Configured sudoers in /etc/nsswitch.conf
2019-06-11T04:45:38Z INFO Configured /etc/sssd/sssd.conf
2019-06-11T04:45:38Z DEBUG Initializing principal 
host/ipa-irvlt01.shs...@shs.dc using keytab /etc/krb5.keytab
2019-06-11T04:45:38Z DEBUG using ccache /etc/ipa/.dns_ccache
2019-06-11T04:45:38Z DEBUG Attempt 1/5: success
2019-06-11T04:45:39Z DEBUG Starting external process
2019-06-11T04:45:39Z DEBUG args=/usr/bin/certutil -d dbm:/tmp/tmp1H6ZBB -N -f 
/tmp/tmp1H6ZBB/pwdfile.txt -f /tmp/tmp1H6ZBB/pwdfile.txt
2019-06-11T04:45:39Z DEBUG Process finished, return code=0
2019-06-11T04:45:39

[Freeipa-users] Error in FreeIPA UI login page

2019-06-10 Thread Elham Sadat Azarian via FreeIPA-users
Hi
Following my last post about the error in the login page ("Invalid CA renewal master. 
All masters must have CA server role enabled"), you said it's due to the client 
installation having failed, so I attached the log of the client installation. 
I will appreciate it if you help me with the error. Thanks


ipaclient-install.log
Description: Binary data
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: IPA users and local groups question

2019-06-10 Thread Elham Sadat Azarian via FreeIPA-users
This is the ipaclient-install.log.

2019-06-11T04:45:38Z DEBUG Logging to /var/log/ipaclient-install.log
2019-06-11T04:45:38Z DEBUG ipa-client-install was invoked with arguments [] and 
options: {'no_dns_sshfp': False, 'force': False, 'verbose': False, 
'ip_addresses': None, 'configure_firefox': False, 'realm_name': 'SHS.DC', 
'force_ntpd': False, 'on_master': True, 'no_nisdomain': False, 'ssh_trust_dns': 
False, 'principal': None, 'keytab': None, 'no_ntp': False, 'domain_name': 
'shs.dc', 'request_cert': False, 'fixed_primary': False, 'no_ac': False, 
'no_sudo': False, 'ca_cert_files': None, 'all_ip_addresses': False, 
'kinit_attempts': None, 'ntp_servers': None, 'enable_dns_updates': False, 
'no_sshd': False, 'no_sssd': False, 'no_krb5_offline_passwords': False, 
'servers': ['ipa-irvlt01.shs.dc'], 'no_ssh': False, 'force_join': False, 
'firefox_dir': None, 'unattended': True, 'quiet': False, 'nisdomain': None, 
'prompt_password': False, 'host_name': 'ipa-irvlt01.shs.dc', 'permit': False, 
'automount_location': None, 'preserve_sssd': False, 'mkhomedir': False, 
'log_file': None, 'uninstall': False}
2019-06-11T04:45:38Z DEBUG IPA version 4.6.4-10.el7.centos.3
2019-06-11T04:45:38Z DEBUG Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2019-06-11T04:45:38Z DEBUG Starting external process
2019-06-11T04:45:38Z DEBUG args=/usr/sbin/selinuxenabled
2019-06-11T04:45:38Z DEBUG Process finished, return code=1
2019-06-11T04:45:38Z DEBUG stdout=
2019-06-11T04:45:38Z DEBUG stderr=
2019-06-11T04:45:38Z WARNING Using existing certificate '/etc/ipa/ca.crt'.
2019-06-11T04:45:38Z DEBUG [IPA Discovery]
2019-06-11T04:45:38Z DEBUG Starting IPA discovery with domain=shs.dc, 
servers=['ipa-irvlt01.shs.dc'], hostname=ipa-irvlt01.shs.dc
2019-06-11T04:45:38Z DEBUG Server and domain forced
2019-06-11T04:45:38Z DEBUG [Kerberos realm search]
2019-06-11T04:45:38Z DEBUG Kerberos realm forced
2019-06-11T04:45:38Z DEBUG [LDAP server check]
2019-06-11T04:45:38Z DEBUG Verifying that ipa-irvlt01.shs.dc (realm SHS.DC) is 
an IPA server
2019-06-11T04:45:38Z DEBUG Init LDAP connection to: 
ldap://ipa-irvlt01.shs.dc:389
2019-06-11T04:45:38Z DEBUG Search LDAP server for IPA base DN
2019-06-11T04:45:38Z DEBUG Check if naming context 'dc=shs,dc=dc' is for IPA
2019-06-11T04:45:38Z DEBUG Naming context 'dc=shs,dc=dc' is a valid IPA context
2019-06-11T04:45:38Z DEBUG Search for (objectClass=krbRealmContainer) in 
dc=shs,dc=dc (sub)
2019-06-11T04:45:38Z DEBUG Found: cn=SHS.DC,cn=kerberos,dc=shs,dc=dc
2019-06-11T04:45:38Z DEBUG Discovery result: Success; 
server=ipa-irvlt01.shs.dc, domain=shs.dc, kdc=ipa-irvlt01.shs.dc, 
basedn=dc=shs,dc=dc
2019-06-11T04:45:38Z DEBUG Validated servers: ipa-irvlt01.shs.dc
2019-06-11T04:45:38Z DEBUG will use discovered domain: shs.dc
2019-06-11T04:45:38Z DEBUG Using servers from command line, disabling DNS 
discovery
2019-06-11T04:45:38Z DEBUG will use provided server: ipa-irvlt01.shs.dc
2019-06-11T04:45:38Z DEBUG will use discovered realm: SHS.DC
2019-06-11T04:45:38Z DEBUG will use discovered basedn: dc=shs,dc=dc
2019-06-11T04:45:38Z INFO Client hostname: ipa-irvlt01.shs.dc
2019-06-11T04:45:38Z DEBUG Hostname source: Provided as option
2019-06-11T04:45:38Z INFO Realm: SHS.DC
2019-06-11T04:45:38Z DEBUG Realm source: Discovered from LDAP DNS records in 
ipa-irvlt01.shs.dc
2019-06-11T04:45:38Z INFO DNS Domain: shs.dc
2019-06-11T04:45:38Z DEBUG DNS Domain source: Forced
2019-06-11T04:45:38Z INFO IPA Server: ipa-irvlt01.shs.dc
2019-06-11T04:45:38Z DEBUG IPA Server source: Provided as option
2019-06-11T04:45:38Z INFO BaseDN: dc=shs,dc=dc
2019-06-11T04:45:38Z DEBUG BaseDN source: From IPA server 
ldap://ipa-irvlt01.shs.dc:389
2019-06-11T04:45:38Z DEBUG Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2019-06-11T04:45:38Z DEBUG Loading StateFile from 
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2019-06-11T04:45:38Z INFO Skipping synchronizing time with NTP server.
2019-06-11T04:45:38Z DEBUG Backing up system configuration file 
'/etc/sssd/sssd.conf'
2019-06-11T04:45:38Z DEBUG   -> Not backing up - '/etc/sssd/sssd.conf' doesn't 
exist
2019-06-11T04:45:38Z INFO New SSSD config will be created
2019-06-11T04:45:38Z DEBUG Backing up system configuration file 
'/etc/nsswitch.conf'
2019-06-11T04:45:38Z DEBUG Saving Index File to 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2019-06-11T04:45:38Z INFO Configured sudoers in /etc/nsswitch.conf
2019-06-11T04:45:38Z INFO Configured /etc/sssd/sssd.conf
2019-06-11T04:45:38Z DEBUG Initializing principal 
host/ipa-irvlt01.shs...@shs.dc using keytab /etc/krb5.keytab
2019-06-11T04:45:38Z DEBUG using ccache /etc/ipa/.dns_ccache
2019-06-11T04:45:38Z DEBUG Attempt 1/5: success
2019-06-11T04:45:39Z DEBUG Starting external process
2019-06-11T04:45:39Z DEBUG args=/usr/bin/certutil -d dbm:/tmp/tmp1H6ZBB -N -f 
/tmp/tmp1H6ZBB/pwdfile.txt -f /tmp/tmp1H6ZBB/pwdfile.txt
2019-06-11T04:45:39Z DEBUG Process finished, return code=0
2019-06-11T04:45:39Z DE

[Freeipa-users] Re: krb5_child always reports going offline when trying to login

2019-06-10 Thread Robert Sturrock via FreeIPA-users
OK, here is the output (quite slow in doing the second kinit but did succeed in 
the end):

# KRB5CCNAME=FILE:/tmp/armor_ccache kinit -k 
'host/ipa-server.localdomain@LOCALREALM'
# KRB5_TRACE=/dev/stdout kinit -T FILE:/tmp/armor_ccache rns@LOCALREALM
[59156] 1560216478.835910: Getting initial credentials for rns@LOCALREALM
[59156] 1560216478.835911: FAST armor ccache: FILE:/tmp/armor_ccache
[59156] 1560216478.835912: Retrieving host/ipa-server.localdomain@LOCALREALM -> 
krb5_ccache_conf_data/fast_avail/krbtgt\/LOCALREALM\@LOCALREALM@X-CACHECONF: 
from FILE:/tmp/armor_ccache with result: 0/Success
[59156] 1560216478.835913: Read config in FILE:/tmp/armor_ccache for 
krbtgt/LOCALREALM@LOCALREALM: fast_avail: yes
[59156] 1560216478.835914: Using FAST due to armor ccache negotiation result
[59156] 1560216478.835915: Getting credentials 
host/ipa-server.localdomain@LOCALREALM -> krbtgt/LOCALREALM@LOCALREALM using 
ccache FILE:/tmp/armor_ccache
[59156] 1560216478.835916: Retrieving host/ipa-server.localdomain@LOCALREALM -> 
krbtgt/LOCALREALM@LOCALREALM from FILE:/tmp/armor_ccache with result: 0/Success
[59156] 1560216478.835917: Armor ccache sesion key: aes256-cts/DD29
[59156] 1560216478.835919: Creating authenticator for 
host/ipa-server.localdomain@LOCALREALM -> krbtgt/LOCALREALM@LOCALREALM, seqnum 
0, subkey aes256-cts/F86D, session key aes256-cts/DD29
[59156] 1560216478.835921: FAST armor key: aes256-cts/6B25
[59156] 1560216478.835923: Sending unauthenticated request
[59156] 1560216478.835924: Encoding request body and padata into FAST request
[59156] 1560216478.835925: Sending request (1790 bytes) to LOCALREALM
[59156] 1560216478.835926: Initiating TCP connection to stream 172.22.6.6:88
[59156] 1560216478.835927: Sending TCP request to stream 172.22.6.6:88
[59156] 1560216488.846431: Sending initial UDP request to dgram 172.22.6.6:88
[59156] 1560216491.848556: Sending retry UDP request to dgram 172.22.6.6:88
[59156] 1560216494.267665: Received answer (640 bytes) from dgram 172.22.6.6:88
[59156] 1560216494.267666: Terminating TCP connection to stream 172.22.6.6:88
[59156] 1560216494.267667: Response was from master KDC
[59156] 1560216494.267668: Received error from KDC: -1765328359/Additional 
pre-authentication required
[59156] 1560216494.267669: Decoding FAST response
[59156] 1560216494.267672: Preauthenticating using KDC method data
[59156] 1560216494.267673: Processing preauth types: PA-PK-AS-REQ (16), 
PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 
(19), PA-PKINIT-KX (147), PA-ENCRYPTED-CHALLENGE (138), PA-FX-COOKIE (133), 
PA-FX-ERROR (137)
[59156] 1560216494.267674: Selected etype info: etype aes256-cts, salt 
";A*b)Z`R_}=lEJ&a", params ""
[59156] 1560216494.267675: Received cookie: MIT
[59156] 1560216494.267676: PKINIT client has no configured identity; giving up
[59156] 1560216494.267677: Preauth module pkinit (147) (info) returned: 
0/Success
[59156] 1560216494.267678: PKINIT client has no configured identity; giving up
[59156] 1560216494.267679: Preauth module pkinit (16) (real) returned: 
22/Invalid argument
[59156] 1560216494.267680: PKINIT client has no configured identity; giving up
[59156] 1560216494.267681: Preauth module pkinit (14) (real) returned: 
22/Invalid argument
Password for rns@LOCALREALM:
[59156] 1560216500.214090: Preauth module encrypted_challenge (138) (real) 
returned: 0/Success
[59156] 1560216500.214091: Produced preauth for next request: PA-FX-COOKIE 
(133), PA-ENCRYPTED-CHALLENGE (138)
[59156] 1560216500.214092: Encoding request body and padata into FAST request
[59156] 1560216500.214093: Sending request (1889 bytes) to LOCALREALM
[59156] 1560216500.214094: Initiating TCP connection to stream 172.22.6.6:88
[59156] 1560216500.214095: Sending TCP request to stream 172.22.6.6:88
[59156] 1560216500.214096: Received answer (1101 bytes) from stream 
172.22.6.6:88
[59156] 1560216500.214097: Terminating TCP connection to stream 172.22.6.6:88
[59156] 1560216500.214098: Response was not from master KDC
[59156] 1560216500.214099: Decoding FAST response
[59156] 1560216500.214100: Processing preauth types: PA-ETYPE-INFO2 (19), 
PA-ENCRYPTED-CHALLENGE (138)
[59156] 1560216500.214101: Selected etype info: etype aes256-cts, salt 
";A*b)Z`R_}=lEJ&a", params ""
[59156] 1560216500.214102: Preauth module encrypted_challenge (138) (real) 
returned: 0/Success
[59156] 1560216500.214103: Produced preauth for next request: (empty)
[59156] 1560216500.214104: AS key determined by preauth: aes256-cts/F080
[59156] 1560216500.214105: FAST reply key: aes256-cts/6C07
[59156] 1560216500.214106: Decrypted AS reply; session key is: aes256-cts/3A0A
[59156] 1560216500.214107: FAST negotiation: available
[59156] 1560216500.214108: Initializing KEYRING:persistent:0:0 with default 
princ rns@LOCALREALM
[59156] 1560216500.214109: Storing rns@LOCALREALM -> 
krbtgt/LOCALREALM@LOCALREALM in KEYRING:persistent:0:0
[59156] 1560216500.214110: Storing config in KEYRING:persistent:0:0 for 

[Freeipa-users] Re: Interaction with web services is crashing ipa

2019-06-10 Thread Rob Crittenden via FreeIPA-users
Marc Boorshtein via FreeIPA-users wrote:
> Seeing a very odd issue.  When we make web services calls to IPA, sssd
> crashes.  This started happening within the last few days after
> onboarding new members (hosts, not people) of the domain.  I'm
> wondering if there's some kind of database corruption?  The LDAP
> services are all OK.  Here are the error logs from /var/log/messages:

You should install the sssd debuginfo and use the core to get a
backtrace, then open a BZ against sssd.

Since this is reproducible, bumping up the sssd log level could provide
additional context when you file the BZ.

rob

> 
> Jun 10 16:24:51 freeipa1 abrt-hook-ccpp: Process 2823 (sssd_be) of user
> 0 killed by SIGABRT - dumping core
> Jun 10 16:24:51 freeipa1 sssd[be[data.domain.com
> ]]: Starting up
> Jun 10 16:24:51 freeipa1 abrt-server: Duplicate: core backtrace
> Jun 10 16:24:51 freeipa1 abrt-server: DUP_OF_DIR:
> /var/spool/abrt/ccpp-2019-06-07-12:08:45-936
> Jun 10 16:24:51 freeipa1 abrt-server: Deleting problem directory
> ccpp-2019-06-10-16:24:51-2823 (dup of ccpp-2019-06-07-12:08:45-936)
> Jun 10 16:24:51 freeipa1 dbus[874]: [system] Activating service
> name='org.freedesktop.problems' (using servicehelper)
> Jun 10 16:24:51 freeipa1 dbus[874]: [system] Successfully activated
> service 'org.freedesktop.problems'
> Jun 10 16:24:51 freeipa1 abrt-server: Email address of sender was not
> specified. Would you like to do so now? If not, 'user@localhost' is to
> be used [y/N]
> Jun 10 16:24:51 freeipa1 abrt-server: Email address of receiver was not
> specified. Would you like to do so now? If not, 'root@localhost' is to
> be used [y/N]
> Jun 10 16:24:51 freeipa1 abrt-server: Sending an email...
> Jun 10 16:24:51 freeipa1 abrt-server: Sending a notification email to:
> root@localhost
> Jun 10 16:24:51 freeipa1 sssd: Keytab successfully retrieved and stored
> in: /var/lib/sss/keytabs/domain.com.keytabftFudt
> Jun 10 16:24:51 freeipa1 abrt-server: Email was sent to: root@localhost
> Jun 10 16:24:51 freeipa1 sssd: Keytab successfully retrieved and stored
> in: /var/lib/sss/keytabs/domain.com.keytabgUy4NG
> Jun 10 16:24:51 freeipa1 sssd: Keytab successfully retrieved and stored
> in: /var/lib/sss/keytabs/domain.com.keytabZAy7NU
> Jun 10 16:24:52 freeipa1 abrt-hook-ccpp: Process 2845 (sssd_be) of user
> 0 killed by SIGABRT - ignoring (repeated crash)
> Jun 10 16:24:54 freeipa1 sssd[be[data.domain.com
> ]]: Starting up
> Jun 10 16:24:54 freeipa1 sssd: Keytab successfully retrieved and stored
> in: /var/lib/sss/keytabs/domain.com.keytabiaqYNk
> Jun 10 16:24:54 freeipa1 sssd: Keytab successfully retrieved and stored
> in: /var/lib/sss/keytabs/domain.com.keytabY4XRrH
> Jun 10 16:24:55 freeipa1 sssd: Keytab successfully retrieved and stored
> in: /var/lib/sss/keytabs/domain.com.keytab5Qenw4
> Jun 10 16:24:57 freeipa1 abrt-hook-ccpp: Process 2871 (sssd_be) of user
> 0 killed by SIGABRT - ignoring (repeated crash)
> Jun 10 16:25:01 freeipa1 sssd[be[data.domain.com
> ]]: Starting up
> Jun 10 16:25:01 freeipa1 systemd: Created slice User Slice of pcp.
> Jun 10 16:25:01 freeipa1 systemd: Starting User Slice of pcp.
> Jun 10 16:25:01 freeipa1 systemd: Started Session 9 of user pcp.
> Jun 10 16:25:01 freeipa1 systemd: Starting Session 9 of user pcp.
> Jun 10 16:25:01 freeipa1 systemd: Removed slice User Slice of pcp.
> Jun 10 16:25:01 freeipa1 systemd: Stopping User Slice of pcp.
> Jun 10 16:25:07 freeipa1 sssd: Keytab successfully retrieved and stored
> in: /var/lib/sss/keytabs/domain.com.keytabDhS9wO
> Jun 10 16:25:07 freeipa1 sssd: Keytab successfully retrieved and stored
> in: /var/lib/sss/keytabs/domain.com.keytabXv4vAK
> Jun 10 16:25:11 freeipa1 abrt-hook-ccpp: Process 2888 (sssd_be) of user
> 0 killed by SIGABRT - dumping core
> Jun 10 16:25:11 freeipa1 sssd: Exiting the SSSD. Could not restart
> critical service [data.domain.com ].
> Jun 10 16:25:11 freeipa1 sssd[pac]: Shutting down
> Jun 10 16:25:11 freeipa1 sssd[ssh]: Shutting down
> Jun 10 16:25:11 freeipa1 sssd[pam]: Shutting down
> Jun 10 16:25:11 freeipa1 sssd[ifp]: Shutting down
> Jun 10 16:25:11 freeipa1 sssd: Attempted to unregister path (path[0] =
> org path[1] = freedesktop) which isn't registered
> Jun 10 16:25:11 freeipa1 sssd: Attempted to unregister path (path[0] =
> org path[1] = freedesktop) which isn't registered
> Jun 10 16:25:11 freeipa1 sssd: Attempted to unregister path (path[0] =
> org path[1] = freedesktop) which isn't registered
> Jun 10 16:25:11 freeipa1 sssd[nss]: Shutting down
> Jun 10 16:25:11 freeipa1 sssd[sudo]: Shutting down
> Jun 10 16:25:11 freeipa1 systemd: sssd.service: main process exited,
> code=exited, status=1/FAILURE
> Jun 10 16:25:11 freeipa1 systemd: Unit sssd.service entered failed state.
> Jun 10 16:25:11 freeipa1 systemd: sssd.service failed.
> Jun 10 16:25:11 freeipa1 abrt-server: Duplicate: core backtrace
> Jun 10 16:25:11 freeipa1 abrt-server: D

[Freeipa-users] Interaction with web services is crashing ipa

2019-06-10 Thread Marc Boorshtein via FreeIPA-users
Seeing a very odd issue.  When we make web services calls to IPA, sssd
crashes.  This started happening within the last few days after onboarding
new members (hosts, not people) of the domain.  I'm wondering if there's
some kind of database corruption?  The LDAP services are all OK.  Here are
the error logs from /var/log/messages:

Jun 10 16:24:51 freeipa1 abrt-hook-ccpp: Process 2823 (sssd_be) of user 0
killed by SIGABRT - dumping core
Jun 10 16:24:51 freeipa1 sssd[be[data.domain.com]]: Starting up
Jun 10 16:24:51 freeipa1 abrt-server: Duplicate: core backtrace
Jun 10 16:24:51 freeipa1 abrt-server: DUP_OF_DIR:
/var/spool/abrt/ccpp-2019-06-07-12:08:45-936
Jun 10 16:24:51 freeipa1 abrt-server: Deleting problem directory
ccpp-2019-06-10-16:24:51-2823 (dup of ccpp-2019-06-07-12:08:45-936)
Jun 10 16:24:51 freeipa1 dbus[874]: [system] Activating service
name='org.freedesktop.problems' (using servicehelper)
Jun 10 16:24:51 freeipa1 dbus[874]: [system] Successfully activated service
'org.freedesktop.problems'
Jun 10 16:24:51 freeipa1 abrt-server: Email address of sender was not
specified. Would you like to do so now? If not, 'user@localhost' is to be
used [y/N]
Jun 10 16:24:51 freeipa1 abrt-server: Email address of receiver was not
specified. Would you like to do so now? If not, 'root@localhost' is to be
used [y/N]
Jun 10 16:24:51 freeipa1 abrt-server: Sending an email...
Jun 10 16:24:51 freeipa1 abrt-server: Sending a notification email to:
root@localhost
Jun 10 16:24:51 freeipa1 sssd: Keytab successfully retrieved and stored in:
/var/lib/sss/keytabs/domain.com.keytabftFudt
Jun 10 16:24:51 freeipa1 abrt-server: Email was sent to: root@localhost
Jun 10 16:24:51 freeipa1 sssd: Keytab successfully retrieved and stored in:
/var/lib/sss/keytabs/domain.com.keytabgUy4NG
Jun 10 16:24:51 freeipa1 sssd: Keytab successfully retrieved and stored in:
/var/lib/sss/keytabs/domain.com.keytabZAy7NU
Jun 10 16:24:52 freeipa1 abrt-hook-ccpp: Process 2845 (sssd_be) of user 0
killed by SIGABRT - ignoring (repeated crash)
Jun 10 16:24:54 freeipa1 sssd[be[data.domain.com]]: Starting up
Jun 10 16:24:54 freeipa1 sssd: Keytab successfully retrieved and stored in:
/var/lib/sss/keytabs/domain.com.keytabiaqYNk
Jun 10 16:24:54 freeipa1 sssd: Keytab successfully retrieved and stored in:
/var/lib/sss/keytabs/domain.com.keytabY4XRrH
Jun 10 16:24:55 freeipa1 sssd: Keytab successfully retrieved and stored in:
/var/lib/sss/keytabs/domain.com.keytab5Qenw4
Jun 10 16:24:57 freeipa1 abrt-hook-ccpp: Process 2871 (sssd_be) of user 0
killed by SIGABRT - ignoring (repeated crash)
Jun 10 16:25:01 freeipa1 sssd[be[data.domain.com]]: Starting up
Jun 10 16:25:01 freeipa1 systemd: Created slice User Slice of pcp.
Jun 10 16:25:01 freeipa1 systemd: Starting User Slice of pcp.
Jun 10 16:25:01 freeipa1 systemd: Started Session 9 of user pcp.
Jun 10 16:25:01 freeipa1 systemd: Starting Session 9 of user pcp.
Jun 10 16:25:01 freeipa1 systemd: Removed slice User Slice of pcp.
Jun 10 16:25:01 freeipa1 systemd: Stopping User Slice of pcp.
Jun 10 16:25:07 freeipa1 sssd: Keytab successfully retrieved and stored in:
/var/lib/sss/keytabs/domain.com.keytabDhS9wO
Jun 10 16:25:07 freeipa1 sssd: Keytab successfully retrieved and stored in:
/var/lib/sss/keytabs/domain.com.keytabXv4vAK
Jun 10 16:25:11 freeipa1 abrt-hook-ccpp: Process 2888 (sssd_be) of user 0
killed by SIGABRT - dumping core
Jun 10 16:25:11 freeipa1 sssd: Exiting the SSSD. Could not restart critical
service [data.domain.com].
Jun 10 16:25:11 freeipa1 sssd[pac]: Shutting down
Jun 10 16:25:11 freeipa1 sssd[ssh]: Shutting down
Jun 10 16:25:11 freeipa1 sssd[pam]: Shutting down
Jun 10 16:25:11 freeipa1 sssd[ifp]: Shutting down
Jun 10 16:25:11 freeipa1 sssd: Attempted to unregister path (path[0] = org
path[1] = freedesktop) which isn't registered
Jun 10 16:25:11 freeipa1 sssd: Attempted to unregister path (path[0] = org
path[1] = freedesktop) which isn't registered
Jun 10 16:25:11 freeipa1 sssd: Attempted to unregister path (path[0] = org
path[1] = freedesktop) which isn't registered
Jun 10 16:25:11 freeipa1 sssd[nss]: Shutting down
Jun 10 16:25:11 freeipa1 sssd[sudo]: Shutting down
Jun 10 16:25:11 freeipa1 systemd: sssd.service: main process exited,
code=exited, status=1/FAILURE
Jun 10 16:25:11 freeipa1 systemd: Unit sssd.service entered failed state.
Jun 10 16:25:11 freeipa1 systemd: sssd.service failed.
Jun 10 16:25:11 freeipa1 abrt-server: Duplicate: core backtrace
Jun 10 16:25:11 freeipa1 abrt-server: DUP_OF_DIR:
/var/spool/abrt/ccpp-2019-06-07-12:08:45-936
Jun 10 16:25:11 freeipa1 abrt-server: Deleting problem directory
ccpp-2019-06-10-16:25:11-2888 (dup of ccpp-2019-06-07-12:08:45-936)
Jun 10 16:25:11 freeipa1 abrt-server: Email address of sender was not
specified. Would you like to do so now? If not, 'user@localhost' is to be
used [y/N]
Jun 10 16:25:11 freeipa1 abrt-server: Email address of receiver was not
specified. Would you like to do so now? If not, 'root@localhost' is to be
used [y/N]
Jun 10 16:25:11 freeipa1 

[Freeipa-users] Hi

2019-06-10 Thread Elhamsadat Azarian via FreeIPA-users



[Freeipa-users] Re: error in FreeIPA UI login page

2019-06-10 Thread Rob Crittenden via FreeIPA-users
Elhamsadat Azarian wrote:
> Hi Rob
> Thanks for your email.
> But I installed ipa-server. I don't know why it tries to install client
> components!

The client installer is needed because sssd, etc. need to be configured
on a server as well.

The error you are seeing is because the client installation failed, so the
server installation is not complete.

> The client hostname is set to the IPA server hostname and I don't know when I
> gave it a client hostname and how I can change it.

A separate hostname is not needed. The server is a client of itself.

rob

> 
> On Mon, 10 Jun 2019, 16:56 Rob Crittenden wrote:
> 
> Elhamsadat Azarian via FreeIPA-users wrote:
> > Dear friends
> > I installed freeIPA on centos 7 with external DNS and internal CA
> > server.
> > It finished successfully but with a failed message about installing
> > client components!
> > Anyway I open a web browser and browse the freeipa page. It showed and
> > I add an exception for the certificate.
> > Then the login page appeared. I inserted the admin user and password but
> > it showed an error. "Invalid CA renewal master. All masters must have
> > CA server role enabled"
> 
> It didn't install successfully if the client configuration failed.
> You'll need to look at /var/log/ipaclient-install.log to see why it
> failed.
> 
> rob
> 


[Freeipa-users] Re: error in FreeIPA UI login page

2019-06-10 Thread Rob Crittenden via FreeIPA-users
Elhamsadat Azarian via FreeIPA-users wrote:
> Dear friends
> I installed freeIPA on centos 7 with external DNS and internal CA server.
> It finished successfully but with a failed message about installing client 
> components!
> Anyway I open a web browser and browse the freeipa page. It showed and I add 
> an exception for the certificate.
> Then the login page appeared. I inserted the admin user and password but it showed 
> an error. "Invalid CA renewal master. All masters must have CA server role 
> enabled"

It didn't install successfully if the client configuration failed.
You'll need to look at /var/log/ipaclient-install.log to see why it failed.

rob


[Freeipa-users] error in FreeIPA UI login page

2019-06-10 Thread Elhamsadat Azarian via FreeIPA-users
Dear friends
I installed freeIPA on centos 7 with external DNS and internal CA server.
It finished successfully but with a failed message about installing client 
components!
Anyway I open a web browser and browse the freeipa page. It showed and I add 
an exception for the certificate.
Then the login page appeared. I inserted the admin user and password but it showed 
an error. "Invalid CA renewal master. All masters must have CA server role enabled"


[Freeipa-users] Re: Full chain with ipa-getcert request

2019-06-10 Thread Josip Domšić via FreeIPA-users
Hi Rob,

Thanks, that's what I came up with as well, but wanted to make sure there really
isn't a simpler way.

Regarding the nginx example: it's not really an nginx issue, it's how the
whole PKI works.
Let's say we have a Root -> Intermediate -> Server cert chain.
The client trusts the root CA, and the server sends the server CA on each request.
If the client doesn't know about the intermediate (either by having it
saved in trust, or receiving it from the client on each request) the chain is
invalid.
So to combat this issue, the server should transmit 2 certificates on each
request (e.g. "bundle" them together).


On Fri, Jun 7, 2019 at 5:06 PM Rob Crittenden wrote:

> Josip Domšić via FreeIPA-users wrote:
> > Bundle  = server.cert + intermediate-ipa.cert.
> >
> > Currently, I figured to distribute rootCA to all clients, and each
> > server (e.g. nginx) has to serve a bundle (server.cert + intermediate).
> > The issue with my work flow is: when ipa-getcert generates a
> > certificate, it doesn't include intermediate-ipa.cert.
> > So, I have to manually parse */etc/ipa/ca.crt* for an intermediate and
> > include it in server.cert.
> >
> > Am I making any sense?
>
> I don't know why nginx requires this but what you could try is
> write a post-install script (-C) that executes when certmonger saves the
> updated certificate that will add the intermediate certificate(s) as
> required by nginx. You can pull the intermediates out of
> /etc/ipa/ca.crt by excluding the root (issuer == subject).
>
> rob
>
> >
> >
> > On Thu, Jun 6, 2019 at 7:48 PM Rob Crittenden wrote:
> >
> > Jo Domsic via FreeIPA-users wrote:
> > > Hi,
> > >
> > > I've deployed FreeIPA and now am trying to use ipa-getcert.
> > > FreeIPA has been deployed with external CA, and the root CA cert
> > has been deployed to all servers.
> > > FreeIPA is acting as an intermediate ssl authority.
> > >
> > > So, when I run ipa-getcert request  I generate ssl key
> > (server.key) and receive a valid ssl cert (server.cert).
> > > However the certificate is not quite valid, since it's missing the
> > intermediate certificate in the server.cert bundle.
> > > Is there a way (e.g. flag or a feature) to include
> > intermediate.cert to server.cert?
> >
> > Missing in what bundle?
> >
> > There is a way, -R, but it is broken for this use case,
> > https://bugzilla.redhat.com/show_bug.cgi?id=1710632
> >
> > > Or better yet: how did you envision the whole PKI with FreeIPA as
> > intermediate certificate?
> >
> > It should still work fine. The whole chain should be trusted
> > system-wide.
> >
> > rob
> >
> >
> >
>
>
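
Josip's description of the Root -> Intermediate -> Server chain (the server must present its own certificate plus the intermediate, because the client only trusts the root) and Rob's suggestion of pulling the intermediates out of /etc/ipa/ca.crt by excluding the root (issuer == subject) together describe one small procedure. The following is an added example of that procedure; it is not FreeIPA's, certmonger's or either poster's code. It uses the `cryptography` package, and because no real certificates can be embedded here it generates a throwaway three-level chain to run against; the names `Example Root CA`, `Example IPA CA` and `www.example.test`, and every function in it, are this example's own.

```python
"""Build the bundle a TLS server should present (server cert + intermediates)
from an IPA-style CA bundle such as /etc/ipa/ca.crt.

Added example, hypothetical helper code. The rule for telling root from
intermediate is the one given in the thread: the root is the certificate
whose issuer equals its subject. The test chain is generated on the fly."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"


def load_pem_bundle(pem_data):
    """Parse every CERTIFICATE block in a PEM bundle, in file order."""
    certs, pos = [], 0
    while True:
        start = pem_data.find(PEM_BEGIN, pos)
        if start < 0:
            return certs
        end = pem_data.find(PEM_END, start)
        if end < 0:
            raise ValueError("truncated PEM certificate block")
        end += len(PEM_END)
        certs.append(x509.load_pem_x509_certificate(pem_data[start:end]))
        pos = end


def is_root(cert):
    """Self-signed: issuer == subject, the criterion from the thread."""
    return cert.issuer == cert.subject


def split_ca_bundle(ca_bundle_pem):
    """Return (roots, intermediates) from a CA bundle like /etc/ipa/ca.crt."""
    certs = load_pem_bundle(ca_bundle_pem)
    return [c for c in certs if is_root(c)], [c for c in certs if not is_root(c)]


def build_server_bundle(server_pem, ca_bundle_pem):
    """Server certificate followed by the intermediates leading toward the
    root, ordered by following issuer links. The root itself is left out:
    clients already hold it in their trust store."""
    chain = [x509.load_pem_x509_certificate(server_pem)]
    _, intermediates = split_ca_bundle(ca_bundle_pem)
    by_subject = {c.subject.rfc4514_string(): c for c in intermediates}
    while chain[-1].issuer.rfc4514_string() in by_subject:
        # pop() guarantees termination even on a malformed, looping bundle
        chain.append(by_subject.pop(chain[-1].issuer.rfc4514_string()))
    return b"".join(c.public_bytes(serialization.Encoding.PEM) for c in chain)


def _make_cert(common_name, issuer=None, issuer_key=None, ca=False):
    """Issue a short-lived test certificate (self-signed when issuer is None)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject if issuer is None else issuer.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .sign(key if issuer_key is None else issuer_key, hashes.SHA256())
    )
    return cert, key


def demo_chain():
    """Constructed Root -> Intermediate -> Server chain as (server_pem, ca_crt_pem),
    where ca_crt_pem mimics /etc/ipa/ca.crt holding root and intermediate."""
    root, root_key = _make_cert("Example Root CA", ca=True)
    inter, inter_key = _make_cert("Example IPA CA", root, root_key, ca=True)
    server, _ = _make_cert("www.example.test", inter, inter_key)
    pem = serialization.Encoding.PEM
    return server.public_bytes(pem), root.public_bytes(pem) + inter.public_bytes(pem)


def subjects(pem_data):
    """Subject DNs of the certificates in a PEM bundle, in order."""
    return [c.subject.rfc4514_string() for c in load_pem_bundle(pem_data)]


if __name__ == "__main__":
    server_pem, ca_crt = demo_chain()
    print("ca.crt holds:  ", subjects(ca_crt))
    print("server bundle: ", subjects(build_server_bundle(server_pem, ca_crt)))
```

In a real deployment `build_server_bundle` is what a certmonger post-save command would run over the freshly saved server certificate and /etc/ipa/ca.crt, writing the result to the file nginx's `ssl_certificate` directive points at; if ca.crt ever holds an intermediate whose issuer is absent, the loop simply stops at the last certificate it can link, so a bundle shorter than expected is the signal to check the CA file rather than a crash.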